Trust & security

How we handle your code, credentials, and data.

A senior boutique engineering practice has a different security posture than a 200-person agency. This page is what we tell procurement and security teams up front, in writing, so there are no surprises.

Code & repository access

All code we write lives in your repository from day one — never on our laptops as the source of truth, never in a private fork. We work via short-lived feature branches against your main branch.

When you grant repository access, it is to the named principal on the engagement. We do not share credentials internally, and access is revoked at handover.

We sign whatever IP-assignment language your standard contract requires. Default position: 100% of work-product IP transfers on payment, with the principal retaining the right to describe the engagement category (not the client, the data, or the code) for marketing.

Cloud & infrastructure access

We deploy to your AWS / GCP / Azure account, never ours. We request the minimum IAM scope needed (typically read/write on the specific services in scope, not blanket admin). We document every IAM grant before requesting it.

Production deployments use your existing CI/CD pipeline. If you do not have one, we set one up in your account using your CI provider of choice.

Secrets stay in your secret manager (AWS Secrets Manager, Vault, Doppler, 1Password, etc.). Mini Trends does not store production secrets locally beyond the duration of a single development session.

Data & PII handling

For engagements involving customer data, we work with a sanitized dev dataset wherever possible. When real data is required (regulated data, edge-case debugging), we work in your environment via your access tools — Mini Trends laptops do not store production customer data.

For RAG and AI engagements processing PII, we configure provider-side retention controls (Anthropic zero-retention, OpenAI zero-retention, Bedrock with no model improvement). We document which provider features are enabled in writing.

HIPAA: we have shipped HIPAA-aware systems, work under your existing BAA with the cloud / model provider, and sign a BAA with you if your compliance team requires one.

Sub-processors & vendors we use

For our own operations: Google Workspace (email, docs), Stripe (billing), GitHub (our internal code), 1Password (credentials), Linear (work tracking).

For client engagements: only the cloud and SaaS vendors you have already approved. We do not introduce new vendors into your environment without prior sign-off.

Mini Trends itself is a US LLC. All principals are based in North America. We do not subcontract to offshore engineers without explicit, written client approval.

Insurance

We carry $2M general liability + $1M errors & omissions (technology E&O). Certificate of insurance available on request before contract signing.

Additional-insured endorsements available for enterprise clients that require them.

Compliance posture

Mini Trends is a small practice and does not currently maintain SOC 2 Type II certification. For most boutique-engineering engagements, our access scope (your repo, your cloud, your existing controls) means our SOC 2 status is not the gating factor — your existing security posture and our adherence to it are.

For engagements that require SOC 2 vendor status, we are happy to introduce you to partner shops that maintain it. We will not misrepresent our compliance posture to win an engagement.

Reporting a vulnerability

If you believe you have found a security issue in our website (mini-trends.com) or in code we shipped to your engagement, please email security@mini-trends.com with details. We respond within 24 business hours.

We do not currently run a public bug-bounty program. We will credit responsible disclosures.

Security questions not covered here? Email security@mini-trends.com — we answer in writing within one business day.